Patch-ID# 100630-02
Keywords: security, login international, su, LD_ environment variables
Synopsis: SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su
Date: Sep/17/93

SunOS Release: 4.1.1, 4.1.2, 4.1.3, 4.1.3C

Unbundled Product: 

Unbundled Release: 

Topic: SECURITY ISSUE: login and su exploitable via LD_ environment variables.
       SECURITY ISSUE: /usr/5bin/su sets a path that begins with ".".

BugId's fixed with this patch: 1085851 1121935

Relevant Architecture: sparc
    NOTE: sun3(all), sun4(all)

Patches accumulated and obsoleted by this patch: 101074-01

Patches which may conflict with this patch: 

Obsoleted by: 

NOTE: Obsoletes: This patch merges in the changes for and obsoletes patch 101074-01

Files included with this patch: login, su, su.5bin

Problem Description: 

1085851	A dynamically-linked program invoked by a setuid/setgid program
	inherits the caller's environment variables (including the LD_
	variables that control the dynamic linker) if the setuid/setgid
	program sets the real and effective UIDs equal and the real and
	effective GIDs equal before executing it.  This is a vulnerability
	when those UIDs and GIDs are not those of the user who invoked the
	setuid/setgid program.

1121935 /usr/5bin/su assigns a path of .:/bin:/usr/bin:/usr/ucb:/etc:/usr/etc,
        which starts with ".". The system is then vulnerable to trojan horse
        programs.
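Added example, not part of this patch or of Sun's login/su source: the two defensive checks the bugs above call for, written in C. scrub_ld_env removes LD_ variables from an environment vector so a privileged program can exec a dynamically-linked program without passing them on, and path_is_safe rejects a PATH that contains a "." or empty component. The environment in scrub_sample_env is constructed for illustration.

```c
#include <string.h>

/* Drop every LD_* variable (LD_LIBRARY_PATH, LD_PRELOAD, ...) from a
 * NULL-terminated envp-style vector in place; returns the count removed. */
int scrub_ld_env(char **envp)
{
    int in, out = 0, dropped = 0;
    for (in = 0; envp[in] != NULL; in++) {
        if (strncmp(envp[in], "LD_", 3) == 0)
            dropped++;
        else
            envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return dropped;
}

/* Return 1 if PATH is safe: no "." component and no empty component
 * (an empty component, e.g. a leading or doubled ':', also means "."). */
int path_is_safe(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.'))
            return 0;
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* Scrub a constructed sample environment (not a real capture) and return
 * the number removed, or -1 if any LD_ entry survived. */
int scrub_sample_env(void)
{
    char *env[] = { "LD_LIBRARY_PATH=/tmp/untrusted", "HOME=/",
                    "LD_PRELOAD=x.so", "TERM=vt100", NULL };
    int i, dropped = scrub_ld_env(env);
    for (i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "LD_", 3) == 0)
            return -1;
    return dropped;
}
```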

Note that this patch contains the international version of /bin/login
that users who are not using the US Encryption Kit need to install.
Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su
and /usr/5bin/su from this international patch are suitable for
sites that use the US Encryption Kit.

Note for users of the C2 security package under 4.1 and 4.1.1 only: use the
login program from patch 100201-05 (or a later version).

Install Instructions: 

Perform all commands as root.  It is strongly recommended that the install
be performed in single user mode if user logins are possible during the
execution of these commands.

Make a copy of the old files:
mv /bin/login /bin/login.FCS
mv /usr/bin/su /usr/bin/su.FCS
mv /usr/5bin/su /usr/5bin/su.FCS

Change permissions on old files so they can't be executed:
chmod 0400 /bin/login.FCS /usr/bin/su.FCS /usr/5bin/su.FCS

Install the patched files:
cp `arch`/login /bin/login
cp `arch`/su /usr/bin/su
cp `arch`/su.5bin /usr/5bin/su

Change the owner and file permissions of the new files:
chown root.staff /bin/login /usr/bin/su /usr/5bin/su
chmod 4755 /bin/login /usr/bin/su /usr/5bin/su

